Script Safe is a privacy and security extension that gives Firefox users better control over what gets loaded when web pages are opened in the browser, and what web pages may do or access.

Script Safe for Firefox

The extension is configured to block many elements that sites may load by default. This includes scripts, iframes, embedded objects, and audio or video content. In fact, the only elements that websites are allowed to load, besides the actual HTML page and stylesheet, are images, Noscript elements, and Data URLs.

You can change this default behavior in the program settings. There you may switch from block to allow mode, for instance, if you prefer that, and customize the default behavior in detail.

The extension adds an icon to the main Firefox toolbar. A click on it displays either nothing at all, if you use the default block mode, or the connections that the site makes.

This default behavior, of not showing any connections, is a bit problematic from a usability point of view. While this may not be an issue if the site works as expected, you cannot control individual connections unless you set the main domain to "allow".

You may need to do a hard refresh of the page afterwards (using Ctrl-F5) as the list of connections is not displayed otherwise.

You control each connection a site makes individually, so that you may allow or block individual connections, trust or distrust them.

Script Safe supports whitelisting and blacklisting, which automate the functionality. Use it to whitelist trusted sites or connections that are required for functionality that you need, or to blacklist sites that you distrust.

Script Safe uses several hosts file lists to block unwanted content regardless of the mode the extension is run in. This means that it will block many advertisement, malware or tracking domains even if you set the program to allow mode, or allow connections on a particular site temporarily. You can still whitelist these domains manually, but there is a setting that prevents these from being loaded even if whitelisted.
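
The precedence described above (hosts-list entries blocked in every mode, a manual whitelist entry overriding them unless a stricter setting is enabled) can be sketched as follows. This is an added example, not Script Safe's own code: the function names, the configuration fields such as hostsListBeatsWhitelist and tempAllowed, the blacklist-before-whitelist order, and the sample list are all assumptions made for illustration.

```javascript
// Added illustration, not Script Safe's source; all names are hypothetical.
// Constructed sample in hosts-file format (sinkhole address, then hostnames).
const SAMPLE_HOSTS = `
# constructed sample list
127.0.0.1 localhost
0.0.0.0 ads.example.com      # advertising
0.0.0.0 tracker.example.net miner.example.org
192.0.2.10 intranet.example.com
`;

// Parse hosts-file text into a Set of blocked hostnames.
function parseHostsList(text) {
  const blocked = new Set();
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.replace(/#.*$/, "").trim(); // strip comments
    if (!line) continue;
    const [addr, ...names] = line.split(/\s+/);
    // Only sinkhole entries are block rules; real mappings are ignored.
    if (addr !== "0.0.0.0" && addr !== "127.0.0.1") continue;
    for (const name of names) {
      if (name.toLowerCase() !== "localhost") blocked.add(name.toLowerCase());
    }
  }
  return blocked;
}

// Decide whether a request to `host` loads. cfg.mode is "block" or "allow".
function decide(host, cfg) {
  const h = host.toLowerCase();
  if (cfg.hostsList.has(h)) {
    // Listed hosts are blocked in every mode and despite temporary allows.
    // Only a manual whitelist entry overrides, unless the strict setting is on.
    return cfg.whitelist.has(h) && !cfg.hostsListBeatsWhitelist ? "allow" : "block";
  }
  if (cfg.blacklist.has(h)) return "block"; // assumption: blacklist checked first
  if (cfg.whitelist.has(h) || cfg.tempAllowed.has(h)) return "allow";
  return cfg.mode === "allow" ? "allow" : "block";
}

const cfg = {
  mode: "allow", hostsList: parseHostsList(SAMPLE_HOSTS),
  whitelist: new Set(["ads.example.com"]), blacklist: new Set(),
  tempAllowed: new Set(["tracker.example.net"]), hostsListBeatsWhitelist: false,
};
console.log(decide("tracker.example.net", cfg)); // hosts list wins over temp allow
console.log(decide("ads.example.com", cfg));     // manual whitelist overrides
```

Exact hostname matching is used here because hosts files list full names; a subdomain that is not itself listed falls through to the mode default.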

What else? Script Safe blocks unwanted cookies from the same range of domains as well, protects the local IP address from leaking when WebRTC is used, and blocks so-called web bugs on top of that.

You can add the following blocking options on top of all that:

Block social widgets, e.g. Facebook like buttons.

Remove Google Analytics tracking.

Block click-through referrer information.

Spoof the user-agent, referrer, or timezone (does not work in Firefox properly it seems).

You are probably wondering how Script Safe compares to NoScript or uMatrix. Script Safe has a couple of usability issues, but the WebExtensions version of NoScript has them also. The main issue with Script Safe is that while it comes with an auto-reload feature that is enabled by default, it does not work properly (at least not on the system I tested it on, as I had to force refresh the page to get the changes to apply).

Script Safe adds fingerprinting protection and other privacy protections and enhancements to the browser, however, more than many anti-fingerprinting extensions offer.

Closing Words

The first version of Script Safe for Firefox is off to a promising start. The developer needs to sort out some features of the extension, and work on the usability part as well. I can see this becoming a very popular extension though in the long run.

About Martin Brinkmann

Martin Brinkmann is a journalist from Germany who founded Ghacks Technology News back in 2005. He is passionate about all things tech and knows the Internet and computers like the back of his hand.

For the desktop it seems we have a plethora of tools available to secure our privacy to a significant degree.

What are the equivalent tools for the Android smartphone platform?

I confess some ignorance on that platform, but find that it is an increasing necessity to use well beyond just email and phone/text. Our “portal” to the web from the desktop is mainly through a browser. Android (and iPhone) does have a browser, but a great deal is via apps as well.

Don’t want to derail the topic here with long discussion, so maybe people can provide links to pages where this is more broadly discussed.

You know, the fewer the apps, the better; also use good VPN (always on) on phone. I never take OTA updates from ISP, either — the older the build, the more likely you’ll be able to use unlock bootloader/root method (go to xda to learn ins and outs of your phone, preferably before buying, but even now, just to see if there’s bootloader unlock method. If so, there will be instructions how to unlock bootloader and root). Often there are privacy-focused ROMs you can download and install.

You never had to login to goolag, ever: most playstore apps AND MORE at aptoide, and often apks of same app are available on developer’s site or xda. Get browser that supports decent privacy (not stock or Chrome), just be sure to have a VPN client running (NordVPN is my favorite; pick servers to install, choose always on, delete app).

I tend to stay away from goolag services entirely, but alternate no-login youtube apps are out there, OR a decent privacy browser, plus bookmarks of account pages you would normally subscribe to, is just as good. And you don’t have to log in to google/youtube.

Hey, speaking of hosts, MVPS hosts file has been updated on 30.11.2017 (I just noticed) and a search for “coin-hive” returns eleven blocked addresses! A real kick in the teeth for all those people who want to make the internet a worse place for everybody else (:

Yeah, I know it’s abandoned (it can’t be ported to WebExt), but it still works.
I don’t actually use it to spoof the user agent periodically (it makes you stand out from the crowd). What’s actually useful about the add-on are all the other options – spoofing headers (ETags, Via, X-Forwarded-For, language), script injection (which allows screen size spoofing; I’m not aware of any other way to do that), and using the add-on’s UI to quickly toggle some settings (like local dom storage, which some sites require).

You can run 100 extensions/addons, several isolated VMs with several different operating systems, and you’re as secure as running none of them – the reason is that using programs does not make you more secure, this is a myth. It might lower the attack scenario but that’s all, it does not prevent someone from MITMing your internet connection, manipulating your DNS, faking emails or login fields and more. In the past every deep web guy made stupid mistakes and they all got busted and none of them used 100 extensions/addons. They got busted by stupid little mistakes which are difficult to see for you or any of these so-called security addons.

What difference does it make if you use noscript but you need to allow javascript + cookies + dom and other crap when you’re forced to log in to the page? Right, nothing, because you can’t use them without breaking several things. Of course now several people are going to say, okay, I don’t log in to any page. Right, but there are other ways to get you, especially while writing emails, using Amazon and more. I never heard of someone using the internet without leaving traces behind – it’s a matter of time.

The thing is that none of such suites, AVs or so-called ‘security’ tools are helpful if the user has no control over it or if he is unable to use it properly. I’m not sure that people got that part. But when you never visit e.g. page xyz you do not need to block it at all because your PC does not make magical connections on its own to this domain. There are of course cross references, e.g. if your daily visited page adds e.g. a like button on it which might ping back to Facebook & co., but then you simply could work in general with a whitelist instead, because if you visit a lot of pages it’s almost impossible to track all website changes and merge it with your programs – however then you have less work when working with a whitelist because you then take control over the DNS/domain requests – at this point you do not need any tools except your router.

The rest of the attack levels are browser related, which need to be fixed within the code, not with an addon.

But I let you guys believe that more tools help more —> it’s exactly the opposite. Snake oil FTW! We had it for years with antivirus programs, I wonder how long it takes until it’s the same with extensions… Maybe also 25 years…..

Back in the day, Giorgio Maone (developer on NoScript) evaluated the possibility of porting NoScript to Chrome. He concluded that it was not possible and that add-ons that claimed to provide script blocking functionality weren’t secure somehow (I don’t remember the details), because of Chrome APIs.

So I am rather wary about such a recent port to Firefox. It would be nice if someone was able to see what I’m talking about and provide insight on it.

Visit “forums.informaction.com” and read 7-year-old threads, I’m sure you’ll find some info stuck between two unrelated posts after reading for 10 hours. Probably the info will apply to 2017, crossing fingers.

Close the browser every X minutes. Close the browser before logging into any site. Close the browser after logging out of any site. Keep it open when cookies and JS are not needed. Tor, VPN are snake oils, unpolished turds that cannot be polished at all.
